Rate Limiting

Overview

A common use case for Repose is rate limiting.
Rate limiting caps how many requests may be made per unit of time (e.g., 10 requests per minute).
In this recipe, we’ll be using the X-PP-User header to indicate who we are for rate limiting purposes.
For additional info on populating that header and on rate limiting by groups, see the Rate Limiting Filter documentation.

Configuration

System Model

The filter can be enabled by adding it to the list of filters in the System Model.

Rate Limiting

After the filter has been added to the System Model, the example configuration can be copied or moved from the examples directory to the configuration files directory.
The example configuration for rate limiting is sufficient for testing and will limit requests to the origin service to 10 times per minute.

rate-limiting.cfg.xml

<?xml version="1.0" encoding="UTF-8"?>
<rate-limiting xmlns="http://docs.openrepose.org/repose/rate-limiting/v1.0">
    <!--
        Defines an endpoint with a matching regex to bind GET requests for
        returning live rate limiting information.
    -->
    <request-endpoint uri-regex="/limits" include-absolute-limits="true"/>

    <!-- Protects the Origin Service from being flooded. -->
    <global-limit-group>
        <limit id="global" uri="*" uri-regex=".*" value="1000" unit="MINUTE"/>
    </global-limit-group>

    <!-- Limits for all other requests -->
    <limit-group id="limited" groups="limited" default="true">
        <limit id="get" uri="/service/*" uri-regex="/service/([\d^/]*)/.*" http-methods="GET" unit="SECOND" value="1"/>
        <limit id="put" uri="/service/*" uri-regex="/service/([\d^/]*)/.*" http-methods="PUT" unit="MINUTE" value="5"/>
        <limit id="post" uri="/service/*" uri-regex="/service/([\d^/]*)/.*" http-methods="POST" unit="HOUR" value="15"/>
        <limit id="delete" uri="/service/*" uri-regex="/service/([\d^/]*)/.*" http-methods="DELETE" unit="DAY" value="2"/>
        <limit id="all" uri="*" uri-regex="/.*" http-methods="POST PUT GET DELETE" unit="MINUTE" value="10"/>
    </limit-group>

    <!-- Limits for WhiteListed IPs -->
    <limit-group id="unlimited" groups="unlimited" default="false"/>
</rate-limiting>

Testing

Script

You can use this script to quickly make 11 requests to Repose to confirm that rate limiting is working.

This is handy if you have a single Repose node. However, if you scale your Repose cluster horizontally, you will need to configure Distributed Rate Limiting for it to behave as you would expect.

Distributed Rate Limiting

If no Distributed Datastores are available, then rate limiting will use the local datastore and each node will allow the configured rate through.
This is not typically the desired behavior and is easily remedied.
By default, rate limiting will be distributed using the standard Distributed Datastore (hash-ring) if it is available.
However, the Distributed Datastore must be enabled in the System Model.
Furthermore, any of the datastore types can be used to store rate limiting information.
The Distributed Datastore documentation has more information on how to properly enable and configure them.
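
The effect described above, as an added example (a simplified fixed-window model, not Repose's own code): three nodes that each count in a local datastore let through three times the configured "all" limit of 10 per minute, while a single shared datastore enforces it once. The class and function names, the user value and the round-robin load balancing are assumptions made for the illustration.

```python
# Added illustration: a simplified model of the behaviour, not Repose code.
import itertools

WINDOW = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600, "DAY": 86400}


class Datastore:
    """Per-(user, limit id) counters; stands in for a Repose datastore."""

    def __init__(self):
        self.counters = {}  # (user, limit_id) -> (window_start, count)

    def hit(self, user, limit_id, value, unit, now):
        start, count = self.counters.get((user, limit_id), (now, 0))
        if now - start >= WINDOW[unit]:   # window expired, start a new one
            start, count = now, 0
        if count >= value:
            return False                  # over the limit, request rejected
        self.counters[(user, limit_id)] = (start, count + 1)
        return True


def simulate(nodes, shared, requests, user="constructed-user"):
    """Round-robin `requests` calls over `nodes` nodes within one minute.

    shared=False: every node counts in its own local datastore.
    shared=True:  all nodes count in one datastore (the distributed case).
    `user` models the X-PP-User header value (constructed sample).
    Returns how many requests would reach the origin service.
    """
    common = Datastore()
    stores = [common if shared else Datastore() for _ in range(nodes)]
    allowed = 0
    for i, store in zip(range(requests), itertools.cycle(stores)):
        # The "all" limit from rate-limiting.cfg.xml: 10 per MINUTE.
        if store.hit(user, "all", 10, "MINUTE", now=i * 0.1):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("1 node, 11 requests:", simulate(1, False, 11))
    print("3 nodes, local datastores, 33 requests:", simulate(3, False, 33))
    print("3 nodes, shared datastore, 33 requests:", simulate(3, True, 33))
```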